March 2008
Report No. AUD-08-006

FDIC’s Replacement and Disposal Process for Laptop Computers

AUDIT REPORT

Report No. AUD-08-006                                                     March 2008
FDIC’s Replacement and Disposal Process for Laptop Computers
Federal Deposit Insurance Corporation

Why We Did The Audit

The objective of the audit was to determine whether the FDIC had established and implemented adequate controls over the replacement and disposal process for laptop computers.

Background

During 2007, the FDIC purchased 3,905 Lenovo T60 Thinkpad laptop computers and related hardware for a total cost of approximately $7.8 million. The new laptops would provide FDIC employees with faster system/software performance, extended battery life, increased disk storage space, and a larger display screen. In addition, the new laptops include Pointsec for PC (Pointsec) encryption software to enhance the security of corporate data. The FDIC’s Division of Information Technology (DIT) was responsible for the 2007 laptop deployment project.

FDIC Circular 1380.3, Laptop Computer Assignments, Safeguards, and Asset Management, dated April 1999, establishes policies and procedures for managing FDIC-owned laptop computers throughout their life cycle. In addition, in July 2007, DIT issued Guidelines for New Laptop Deployment (DIT Guidelines), which provides detailed procedures for the replacement and disposal of laptops, including procedures for the disposition of the hard drives from used laptops in order to protect sensitive data they may contain.

An inventory of laptop computers owned by the FDIC is maintained in the FDIC’s Remedy® Asset Management Module. DIT used Remedy® to track the deployment of the new laptop computers and the collection of used laptops.

Audit Results

The FDIC established and implemented generally adequate controls over the replacement and disposal process for laptop computers. Specifically, we noted that the FDIC had implemented a consistent and complete deployment of laptop computers during 2007 in each of the offices we reviewed. Further, DIT personnel at each location we visited maintained documentation in accordance with the DIT Guidelines. All 3,905 laptop computers purchased by the FDIC were received and recorded in the FDIC’s Remedy® laptop inventory within the timeframes established by DIT. Finally, as stipulated in the new laptop purchase order, the FDIC received a discount for its used laptop computers.

We also found that opportunities exist for the FDIC to enhance controls for the continuous replacement and disposal process for laptop computers in the following areas. It is important to note that the FDIC will continue to replace malfunctioning computers.

  • FDIC Circular 1380.3 does not reflect the current business environment for managing the FDIC’s laptop computer inventory and does not define the FDIC’s policy for the disposal of laptop computer hard drives. This limits the FDIC’s assurance that its laptop computer inventory, including hard drives that may contain sensitive information, is effectively managed.

  • Current hard drive destruction practices present a risk that a computer hard drive could be lost and subject to unauthorized access.

  • Remedy® lacks sufficient access controls to ensure that complete and accurate inventory records are maintained for the FDIC’s laptop computers and does not track replacement laptops for malfunctioning computers. These control deficiencies limit the FDIC’s assurance regarding the integrity of its laptop computer inventory.

Recommendations and Management Response

We recommended that FDIC management (1) update Circular 1380.3 to reflect the FDIC’s current business environment for managing its laptop computer inventory and to define policy for the disposal of hard drives; (2) implement additional measures that mitigate the risk of a computer hard drive being lost during the destruction process and subject to unauthorized access; and (3) establish procedures to track and record the replacement of laptop computers returned to the vendor for replacement or service. Management concurred with our recommendations and is taking responsive corrective actions.

To view the full report, go to www.fdicig.gov/2008reports.asp

Contents                                                                         Page

BACKGROUND                                                                          1
  Guidance Related to Laptop Computers                                              2
    DIT Guidelines on Laptops                                                       2
    FDIC Policies and Procedures Related to Laptops                                 2
    Federal Law and Guidelines                                                      3
  The FDIC’s Laptop Deployment Process                                              3

RESULTS OF AUDIT                                                                    5

FDIC POLICIES AND PROCEDURES FOR MANAGING THE LAPTOP COMPUTER INVENTORY             6
  Changes in the FDIC’s Business Environment and Procedures for Managing
  Laptop Computers                                                                  6
  Laptop Computer Hard Drives                                                       7
  Recommendation on FDIC Policies and Procedures for Managing the Laptop
  Computer Inventory                                                                7

HARD DRIVE DESTRUCTION PRACTICES                                                    7
  Current Destruction Process for Hard Drives                                       7
  Plans for Destroying Additional Hard Drives                                       8
  Recommendation on Hard Drive Destruction Practices                                8

THE FDIC’s ASSET MANAGEMENT MODULE                                                  8
  Data Controls in the Remedy® Inventory System                                     9
  Laptops Returned to the Vendor                                                    9
  Recommendation on Procedures for Tracking Replacement Laptops                    10

CORPORATION COMMENTS AND OIG EVALUATION                                            10

APPENDICES
  1. OBJECTIVE, SCOPE, AND METHODOLOGY                                             11
  2. CORPORATION COMMENTS                                                          14
  3. MANAGEMENT RESPONSE TO RECOMMENDATIONS                                        16

TABLE
  Summary of Control Enhancements Needed                                            5

FIGURES
  1. Hard Drive Destruction at the Recycling Facility                               2
  2. The FDIC’s 2007 Replacement and Disposal Process for Laptop Computers          4

Federal Deposit Insurance Corporation                                  Office of Audits
3501 Fairfax Drive, Arlington, VA 22226                     Office of Inspector General

DATE:            March 12, 2008

MEMORANDUM TO:   Michael E. Bartell
                 Chief Information Officer and
                 Director, Division of Information Technology

FROM:            /Signed/
                 Russell A. Rau
                 Assistant Inspector General for Audits

SUBJECT:         FDIC’s Replacement and Disposal Process for Laptop Computers
                 (Report No. AUD-08-006)

This report presents the results of the subject audit. The FDIC’s Division of Information Technology (DIT) was responsible for the 2007 laptop computer deployment project to upgrade the FDIC’s laptop computer inventory. The objective of the audit was to determine whether the FDIC had established and implemented adequate controls over the replacement and disposal process for laptop computers. We conducted this performance audit in accordance with generally accepted government auditing standards.
Appendix 1 of this report discusses our audit objective, scope, and methodology in detail.

BACKGROUND

Under a contract with SRA International, Inc. (SRA), the FDIC purchased 3,905 Lenovo T60 Thinkpad laptop computers and related hardware from World Wide Technology, Inc. (WWT) for a total cost of approximately $7.8 million. The new laptop computers provide FDIC employees with faster system/software performance, extended battery life, increased disk storage space, and a larger display screen. In addition, the new laptop computers were deployed with Pointsec for PC (Pointsec)[1] encryption software to enhance the security of corporate data. Under the laptop computer purchase order, the FDIC received a discount for trading in its used laptop computers, without the hard drives.

[1] Pointsec encrypts all data on the laptop computer’s hard drive as a safeguard in the event the laptop is lost or stolen.

A record of all laptop computers owned by the FDIC is maintained in Remedy®,[2] which also includes the assignment history of the laptops. DIT used Remedy® to track the deployment of the new laptop computers and the collection of the used laptops.

[2] Remedy® consists of a suite of applications used for incident, problem, change, service-level, and asset management. DIT uses the Asset Management Module of Remedy® to track laptop computers.

Guidance Related to Laptop Computers

DIT Guidelines on Laptops. In July 2007, DIT issued Division of Information Technology Guidelines for New Laptop Deployment (DIT Guidelines), which provides detailed procedures for the replacement and disposal of laptop computers. The DIT Guidelines also provide procedures for the storage and destruction of the hard drives from used laptops in order to protect sensitive data the hard drives may contain. Specifically, the DIT Guidelines state that the DIT Distribution Center (DDC) is responsible for ensuring that used laptop computer hard drives are destroyed by shredding. At the time of our audit, DDC personnel were destroying laptop computer hard drives by transporting them to a suburban Washington, D.C., recycling facility where the hard drives were placed into an automobile that was then crushed and fed into an industrial shredding machine (see Figure 1 below). DDC personnel are to remain on-site to witness the shredding.

Figure 1: Hard Drive Destruction at the Recycling Facility
[photograph not reproduced]
Source: OIG observation of the hard drive destruction at the recycling facility.

FDIC Policies and Procedures Related to Laptops. The FDIC has established the following policies and procedures that relate to the replacement and disposal process for laptop computers:

  • FDIC Circular 1380.3, Laptop Computer Assignments, Safeguards, and Asset Management, dated April 13, 1999, establishes policies and procedures for managing FDIC-owned laptop computers throughout their life cycle;

  • FDIC Circular 3200.1, Disposition of Corporation-Owned Property, dated August 25, 2004, establishes procedures for ensuring that Corporation-owned property is reallocated and/or disposed of in a uniform and effective manner; and

  • FDIC Circular 1360.9, Protecting Sensitive Information, dated April 30, 2007, establishes policy on protecting sensitive information stored on FDIC laptop computers.

Federal Law and Guidelines. The following summarizes federal guidance related to the destruction of laptop computer hard drives.

  • The Federal Information Security Management Act of 2002 (FISMA) defines federal agency responsibilities for information security, including assessing risks associated with, among other things, the unauthorized access to information systems, which includes information technology (IT) equipment.[3] This provision of FISMA requires that federal agencies develop, document, and implement policies and procedures that cost-effectively reduce such information security risks to an acceptable level.

  • The National Institute of Standards and Technology (NIST) issued guidelines that federal agencies should consider in relation to information system security.[4] NIST Special Publication (SP) 800-88, Guidelines for Media Sanitization, dated September 2006, provides guidelines for organizations to make practical sanitization decisions based on the level of confidentiality of their sensitive information. NIST SP 800-88 recommends the destruction of hard drives containing sensitive information by disintegrating, shredding, pulverizing, or incinerating. Additionally, NIST SP 800-53 Revision 1, Recommended Security Controls for Federal Information Systems, dated December 2006, recommends, among other things, that organizations employ appropriate sanitization techniques for their information system media.

The FDIC’s Laptop Deployment Process

The FDIC’s laptop computer deployment process consisted of retrieving used laptops from FDIC users, migrating user data, configuring new laptops, and removing hard drives from the used laptops.
DIT developed a laptop computer deployment schedule using Remedy®, which identified users at each FDIC site. At the FDIC’s headquarters buildings,[5] DIT oversaw the laptop computer deployment, which was conducted by SRA personnel. DIT personnel conducted the laptop computer deployment at the FDIC’s regional and field offices. Figure 2 below further illustrates the FDIC’s 2007 replacement and disposal process for laptop computers.

[3] The FDIC has determined that the provision of FISMA at issue here is legally binding on the FDIC.
[4] NIST special publications are, by their own terms, guidelines (rather than mandatory requirements) for agencies in implementing their IT operations.
[5] Headquarters includes two buildings in Washington, D.C., and the Virginia Square buildings in Arlington, Virginia.

Figure 2: The FDIC’s 2007 Replacement and Disposal Process for Laptop Computers
(flowchart rendered as a numbered sequence; the inventory-update actions shown beside each step are listed under it)

  1. The DDC receives a list of serial numbers from WWT for new laptops shipped to the FDIC’s locations.

  2. The DDC updates Remedy® with the serial numbers for new laptops.

  3. At deployment date, the used laptop is removed, and a new laptop is provided to the user. The hard drive from the used laptop is removed and stored for 120 days in the event the data are needed. The used laptop is then shipped to DDC.
     - The SRA/DIT installer and the FDIC user complete and sign a hand bill receipt. SRA/DIT personnel conducting the laptop deployment update Remedy® using the hand bill information.
     - DIT/SRA personnel update the laptop deployment.
     - SRA/DIT personnel create the hard drive schedule that identifies the hard drive serial number, laptop serial number, user name, and hard drive removal and destruction dates.

  4. DDC ships used laptops to the asset recovery servicer for credit and updates Remedy®.

  5. After 120 days, DIT personnel in the regional/field offices drill four holes into the hard drives prior to shipping them to the DDC in order to provide added security in the event a hard drive is lost during shipment.

  6. DDC personnel take all hard drives (those from headquarters locations and those shipped from regional/field offices) to a recycling facility for shredding. Then, DDC personnel update the hard drive inventory in Remedy®.

RESULTS OF AUDIT

The FDIC established and implemented generally adequate controls over the replacement and disposal process for laptop computers. Specifically, we noted that the FDIC had implemented a consistent and complete deployment of laptop computers during 2007 in each of the offices we reviewed and that DIT personnel at each location we visited maintained documentation in accordance with the DIT Guidelines.[6] In addition, all 3,905 laptop computers purchased by the FDIC were received and recorded in the FDIC’s Remedy® laptop inventory within the timeframes established by DIT. Further, as stipulated in the new laptop purchase order, the FDIC received a discount for its used laptop computers. Such results are positive. However, opportunities exist for the FDIC to enhance its controls for the continuous replacement and disposal process for laptop computers (see the table below). It is important to note that the FDIC will continue to replace malfunctioning computers.

[6] We tested the laptop computer deployment process at FDIC locations in Arlington, Virginia; Washington, D.C.; Atlanta, Georgia; New York, New York; Chicago, Illinois; and Madison, Wisconsin.

Summary of Control Enhancements Needed

Control Issue: FDIC Circular 1380.3, Laptop Computer Assignments, Safeguards, and Asset Management, does not reflect the FDIC’s current procedures for managing laptop computers, including hard drives, or DIT’s current business environment. In addition, Circular 1380.3 does not define the FDIC’s policy for the disposal of laptop computer hard drives. The lack of current policies and procedures in these areas limits the FDIC’s assurance that its laptop computer inventory, including hard drives that may contain sensitive information, is effectively managed (FDIC Policies and Procedures for Managing the Laptop Computer Inventory).
Enhancement Needed: Update Circular 1380.3 to reflect the FDIC’s current business environment for managing its laptop computer inventory and to define policy for the disposal of hard drives.

Control Issue: Current hard drive destruction practices present a risk that a computer hard drive could be lost and subject to unauthorized access (Hard Drive Destruction Practices).
Enhancement Needed: Implement additional measures that mitigate the risk of a computer hard drive being lost during the destruction process and subject to unauthorized access.

Control Issue: Remedy® lacks sufficient access controls to ensure that complete and accurate inventory records are maintained for the FDIC’s laptop computers. Further, Remedy® does not track replacement laptops for malfunctioning computers. These control deficiencies limit the FDIC’s assurance regarding the integrity of its laptop computer inventory (The FDIC’s Asset Management Module).
Enhancement Needed: Implement access controls and establish Remedy® procedures to track and record the replacement of laptop computers returned to the vendor for service.

FDIC POLICIES AND PROCEDURES FOR MANAGING THE LAPTOP COMPUTER INVENTORY

The FDIC issued Circular 1380.3, Laptop Computer Assignments, Safeguards, and Asset Management, dated April 13, 1999, for the purpose of establishing policies and procedures for all FDIC-owned laptop computers throughout their life cycle. However, the circular does not reflect the FDIC’s current business environment for managing its laptop computer inventory. In addition, Circular 1380.3 does not define the FDIC’s policy for the disposal of laptop computer hard drives. The lack of current policies and procedures in these areas limits the FDIC’s assurance that its laptop computer inventory, including hard drives that may contain sensitive information, is effectively managed.

Changes in the FDIC’s Business Environment and Procedures for Managing Laptop Computers

Circular 1380.3 does not reflect the FDIC’s current business environment or procedures for managing laptop computers. For example, Circular 1380.3:

  • References the Information Technology Asset Management System (ITAMS) as the FDIC’s laptop inventory system. However, ITAMS was replaced by Remedy® in June 2004.

  • Requires that all laptops moved in and out of FDIC facilities be inspected by FDIC security personnel. However, according to FDIC Security and Emergency Preparedness officials, this practice has been discontinued for FDIC employees.

  • Requires equipment authorization tags to be fastened to the outside of laptop computer cases and to be visible at all times. However, this practice is no longer employed.

  • Assigns the responsibility for periodic and annual inventories nationwide to the Chief, Logistics Management Section, to ensure the accuracy of inventory records for all FDIC-owned laptops. However, this position no longer exists, and no other FDIC circular assigns this responsibility.

  • References the Division of Information Resources Management (DIRM), which was restructured as DIT in 2005.

Laptop Computer Hard Drives

The DIT Guidelines that were developed specifically for the 2007 replacement and disposal of laptop computers contain detailed procedures to safeguard hard drives removed from laptop computers. However, Circular 1380.3 does not address the FDIC’s policy for the disposal of hard drives. During our review of the 2007 laptop deployment, DIT officials informed us that ensuring control over hard drives was a major concern because of sensitive information they may contain. The FDIC can achieve greater assurance regarding the disposal of computer hard drives and promote adherence to NIST security guidelines by addressing the disposal of hard drives in corporate policy.

Recommendation on FDIC Policies and Procedures for Managing the Laptop Computer Inventory

We recommend that the Chief Information Officer (CIO):

(1) Update Circular 1380.3 to reflect the FDIC’s current business environment for managing its laptop computer inventory and to define policy for the disposal of hard drives.

HARD DRIVE DESTRUCTION PRACTICES

DIT disposed of laptop computer hard drives from the 2007 laptop deployment effort by transporting them to a suburban Washington, D.C., recycling facility for destruction. However, many of the hard drives had not been drilled, as a security precaution, prior to their transport to the recycling facility, presenting a risk that a computer hard drive could be lost during the destruction process and subject to unauthorized access.

Current Destruction Process for Hard Drives

Consistent with FISMA, NIST Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems, recommends that organizations employ appropriate sanitization techniques for their information system media to prevent the disclosure of organizational information to unauthorized individuals when such media are reused or disposed of.

On January 15, 2008, we accompanied an SRA employee to the recycling facility to observe the destruction of approximately 200 laptop computer hard drives. According to the SRA employee, these hard drives were from FDIC headquarters, regional, and field offices. DIT Guidelines require that hard drives from regional and field offices be drilled prior to shipment to the DDC. However, DIT Guidelines do not require that hard drives removed from laptops in headquarters offices be drilled prior to being transported for shredding. The destruction process at the recycling facility involved placing the computer hard drives into cardboard boxes and then placing the boxes into an automobile that was about to be destroyed. An industrial crane was then used to compact the automobile and transport it to a conveyor belt, which then fed the automobile into an industrial shredder. However, as the automobile was being transported to the conveyor belt, we observed what appeared to be hard drives falling out of the automobile onto a large trash heap in the recycling facility’s scrap yard. Because many of the hard drives had not been drilled prior to being placed in the automobile, there is a risk that one or more of them may not have been destroyed and could be lost and subject to unauthorized access.

Plans for Destroying Additional Hard Drives

DIT recently deployed Pointsec, which automatically encrypts sensitive information stored on laptop computer hard drives. Pointsec significantly reduces the risk of a compromise of sensitive information whenever a laptop computer is lost or stolen. However, the computer hard drives destroyed on January 15, 2008, were removed from laptop computers that did not have the automatic encryption software. As a result, these laptop computer hard drives may have contained sensitive information in an unencrypted format. DIT plans to destroy a large number of other laptop computer hard drives in the near future that may also contain sensitive information in an unencrypted format. Accordingly, DIT should implement additional measures to mitigate the risk of a computer hard drive being lost during the destruction process and subject to unauthorized access. In this manner, the FDIC can reduce the risk of an unauthorized disclosure of sensitive information that could lead to potential legal liability or public embarrassment to the Corporation.

Recommendation on Hard Drive Destruction Practices

We recommend that the CIO:

(2) Implement additional measures that mitigate the risk of a computer hard drive being lost during the destruction process and subject to unauthorized access.

THE FDIC’s ASSET MANAGEMENT MODULE

The FDIC uses the Remedy® Asset Management Module to manage its inventory of laptop computers. However, Remedy® lacks sufficient access controls to ensure that complete and accurate inventory records are maintained for the FDIC’s laptop computers. In addition, Remedy® does not track replacement laptop computers when a malfunctioning laptop, assigned to a user, is returned to the vendor for service. As a result, the FDIC cannot ensure the effective accountability for, and control of, laptop computers.

Data Controls in the Remedy® Inventory System

During the 2007 laptop computer deployment, personnel who conducted the laptop replacement had unrestricted access to the laptop asset record in Remedy®. Specifically, 13 SRA employees in the FDIC’s headquarters offices and at least 40 DIT personnel at FDIC regional and field offices could edit inventory records in Remedy® related to the laptop inventory without authorization or supervisory review. Further, DIT personnel in the regional and field offices stated that without their knowledge, inventory records could be modified by DIT personnel in Washington, D.C. NIST SP 800-53 Revision 1, Recommended Security Controls for Federal Information Systems,[7] dated December 2006, includes recommended security controls for federal information systems to enforce the separation of duties through assigned access authorizations.

To DIT’s credit, it had identified concerns related to Remedy® and its IT asset inventory processes prior to our audit. To address these concerns, DIT contracted with an independent firm to conduct a review of the Corporation’s IT asset management processes. The firm reported to DIT in January 2008[8] that Remedy® does not contain adequate controls over changes in IT asset records. The report states that Remedy® roles should be restricted based on the principle of least privilege.[9] To compensate for the lack of access control, the firm recommended that asset record changes be saved and held pending supervisory review and approval. DIT officials informed us that they intend to implement corrective actions to address the firm’s recommendations. Such actions would provide DIT management greater assurance regarding the integrity of the FDIC’s laptop computer inventory. Therefore, we are not making recommendations related to this area.

[7] Although the FDIC’s information systems do not fall within the SP 800-53 definition of federal information systems, we believe the guidance in that publication provides a best practice for the FDIC to consider in managing its information systems.
[8] The firm’s report is entitled FDIC IT Asset Analysis.
[9] Under the principle of least privilege, the information system enforces the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks.

Laptops Returned to the Vendor

FDIC Circular 1380.3 requires that current and accurate records for the receipt, transfer, disposal, and adjustment of laptop assignments be maintained. Although Remedy® tracks the status of laptop computer deployments, the system does not provide a link between a laptop returned to the vendor and the replacement laptop to ensure that laptop inventory records are accurate.

To illustrate, a laptop computer deployed to an FDIC employee would be coded as “deployed,” and a laptop being stored by DIT for future use would be coded in Remedy® as “in inventory.” Another code, “returned to vendor,” was used for 426 FDIC laptops. According to DIT officials, a computer coded as “returned to vendor” indicates that the malfunctioning laptop was kept by the vendor and that the FDIC received a replacement laptop for which a separate record was created in the Remedy® inventory. However, Remedy® does not provide a crosswalk, for example, a code, to indicate which laptop the vendor provided as the replacement laptop. Therefore, the FDIC does not have the records to adequately assure that the FDIC received a replacement laptop for each computer that was coded “returned to vendor.” DIT should establish procedures to track replacement laptop computers for those computers that have been returned to the vendor.

Recommendation on Procedures for Tracking Replacement Laptops

We recommend that the CIO:

(3) Establish procedures to track and record the replacement of laptop computers returned to the vendor for replacement or service.

CORPORATION COMMENTS AND OIG EVALUATION

On March 7, 2008, the CIO and Director, DIT, provided a written response to the draft of this report. Management’s response is presented in its entirety in Appendix 2. Management concurred with our findings and recommendations.

In response to recommendation 1, DIT stated that it will revise Circular 1380.3 as part of a larger asset management documentation project.
In response to recommendation 2,\n      DIT has already advised the DDC that all hard drives must be rendered physically\n      disabled prior to being sent off-site for shredding. Furthermore, DIT is updating the\n      documentation on hard drive disposal for all equipment and updating procedures to\n      render all hard drives inoperable prior to storage for disposal. In response to\n      recommendation 3, DIT will develop procedures for tracking assets returned to the\n      vendor and replacement assets sent to the FDIC.\n\n      A summary of management\xe2\x80\x99s response to the recommendations is in Appendix 3. DIT\xe2\x80\x99s\n      planned actions are responsive to our recommendations. The recommendations are\n      resolved but will remain open until we determine that the agreed-to corrective actions\n      have been completed and are responsive.\n\n\n\n\n                                                  10\n\x0c                                                                                          APPENDIX 1\n\n                              OBJECTIVE, SCOPE, AND METHODOLOGY\n\n\nObjective\n\n      The audit objective was to determine whether the FDIC had established and implemented\n      adequate controls over the replacement and disposal process for laptop computers. We\n      conducted this performance audit from September 2007 through January 2008 in accordance\n      with generally accepted government auditing standards. Those standards require that we plan\n      and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for\n      our findings and conclusions based on our audit objectives. 
We believe that the evidence\n      obtained provides a reasonable basis for our findings and conclusions based on our audit\n      objectives.\n\n\nScope and Methodology\n\n      The audit included an assessment of the FDIC\xe2\x80\x99s plans and procedures for the replacement and\n      disposal of laptop computers during 2007. We conducted fieldwork at FDIC headquarters\n      locations in Arlington, Virginia; and Washington, D.C.; FDIC regional and field offices in\n      Atlanta, Georgia; New York, New York; and Chicago, Illinois, and one additional field office in\n      Madison, Wisconsin. We conducted tests of the FDIC\xe2\x80\x99s laptop deployment for the FDIC\xe2\x80\x99s field\n      offices in Eau Claire, Appleton, and Milwaukee, Wisconsin; and Shelby, Alabama.\n\n      To accomplish the audit objective, we performed the following:\n\n            \xe2\x80\xa2   Reviewed various guidelines as follows:\n\n                   -   Division of Information Technology Guidelines for New Laptop Deployment,\n                       dated July 2007.\n\n                   -   FDIC Circular 3200.1, Disposition of Corporation-Owned Property, dated\n                       August 25, 2004.\n\n                   -   FDIC Circular 1360.9, Protecting Sensitive Information, dated April 30, 2007.\n\n                   -   FDIC Circular 1380.3, Laptop Computer Assignments, Safeguards, and Asset\n                       Management, dated April 13, 1999.\n\n                   -   FISMA.\n\n                   -   NIST SP 800-88, Guidelines for Media Sanitization, dated September 2006.\n\n                   -   NIST SP 800-53 Revision 1, Recommended Security Controls for Federal\n                       Information Systems, dated December 2006.\n\n\n\n\n                                                       11\n\x0c                                                                                            APPENDIX 1\n\n\n          \xe2\x80\xa2   Interviewed FDIC employees and SRA 
contractors regarding the FDIC\xe2\x80\x99s procedures for\n              the replacement and deployment of laptop computers.\n\n          \xe2\x80\xa2   Verified the storage procedures for 100 percent of the hard drives at the locations noted\n              earlier.\n\n          \xe2\x80\xa2   Verified receipt of the 3,905 Lenovo T60 laptop computers, purchased under SRA\n              Purchase Order 9010166, to the vendor\xe2\x80\x99s shipping confirmations.\n\n          \xe2\x80\xa2   Reconciled the vendor\xe2\x80\x99s shipping confirmations for the 3,905 laptop computers to the\n              FDIC\xe2\x80\x99s Remedy\xc2\xae inventory.\n\n          \xe2\x80\xa2   Verified the completion of signed hand bills for the deployment of 500 judgmentally\n              sampled laptops.\n\n          \xe2\x80\xa2   Verified the accuracy of signed hand bills for the deployment of 100 judgmentally\n              sampled laptops.\n\n          \xe2\x80\xa2   Observed DIT\xe2\x80\x99s hard drive disposition procedures at FDIC regional and field offices.\n\n          \xe2\x80\xa2   Reconciled hard drive inventory records to disposal records for used laptops.\n\n          \xe2\x80\xa2   Reconciled documentation for used laptop shipments to with the FDIC\xe2\x80\x99s records.\n\n          \xe2\x80\xa2   Verified background investigations for SRA personnel.\n\n          \xe2\x80\xa2   Observed hard drive shredding procedures by the FDIC\xe2\x80\x99s DDC.\n\n          \xe2\x80\xa2   Assessed DIT\xe2\x80\x99s procedures for tracking laptop computers returned to the vendor.\n\n      In addition, prior to our audit, DIT contracted for a review of the FDIC\xe2\x80\x99s IT asset inventory\n      control process, including the verification of selected aspects of the IT asset inventory, such as\n      the laptop computer inventory controls. 
Accordingly, we did not perform audit procedures\n      already covered by that review.\n\n\nInternal Control\n\n      We evaluated the effectiveness of controls in place for the replacement and disposal of laptop\n      computers. These controls included policies and procedures contained in many of the documents\n      listed above. In the absence of written policies, we relied on interviews with, and information\n      obtained from, DIT officials.\n\n      DIT did not separately inventory the hard drives of the FDIC\xe2\x80\x99s laptop computers. The FDIC\n      deployed Pointsec in 2007 to automatically encrypt sensitive information stored on laptop\n      computer hard drives. Such software significantly reduces the risk of a compromise of sensitive\n      information whenever a laptop computer is lost or stolen.\n                                                       12\n\x0c                                                                                              APPENDIX 1\n\n\nReliance on Computer-processed Information\n\n      For purposes of the audit, we did not rely on computer-processed information to support our\n      audit findings, conclusions, or recommendations. Our assessment centered on records related to\n      the replacement and disposal of laptop computers and hard drives. In addition, DIT had\n      contracted with an independent firm to test data and selected information systems controls in the\n      Remedy\xc2\xae Asset Management Module, which contains an inventory of FDIC laptop computers.\n      Accordingly, we did not consider it necessary to develop procedures to assess those controls.\n\n\nCompliance with Laws and Regulations, Government Performance and Results Act, and Fraud or\nAbuse\n\n      We reviewed applicable laws and regulations related to the FDIC\xe2\x80\x99s replacement and disposal\n      process for laptop computers. 
We found no instances where the FDIC was not in compliance\n      with applicable laws and regulations, but we did note areas for improvement as described in the\n      report.\n\n      We reviewed DIT\xe2\x80\x99s performance measures under the Government Performance and Results Act,\n      Public Law 103-62. We also reviewed the FDIC\xe2\x80\x99s 2007 Annual Performance Plan, the FDIC\xe2\x80\x99s\n      Strategic Plan for 2005-2010, and DIT\xe2\x80\x99s Balanced Scorecard to determine whether the FDIC has\n      established goals related to its laptop replacement and disposal process. Neither the annual plan\n      nor the strategic plans include goals, objectives, or indicators specifically related to the subject of\n      our audit.\n\n      We assessed the risk of fraud and abuse related to the audit objective in the course of evaluating\n      audit evidence.\n\n\n\n\n                                                        13\n\x0c\x0c     APPENDIX 2\n\n\n\n\n15\n\x0c                                                                                                   APPENDIX 3\n\n                     MANAGEMENT RESPONSE TO RECOMMENDATIONS\n\n\nThis table presents the management response on the recommendations in our report and the\nstatus of the recommendations as of the date of report issuance.\n    Rec. No.        Corrective Action: Taken               Expected        Monetary     Resolved: a        Open or\n                          or Planned                      Completion       Benefits     Yes or No          Closed b\n                                                              Date\n       1       DIT will revise Circular 1380.3 to         Dec. 
31, 2008      N/A           Yes              Open\n               reflect the FDIC\xe2\x80\x99s current business\n               environment for managing its laptop\n               computer inventory and to define\n               policy for the disposal of hard drives.\n\n       2       DIT is updating the documentation         April 15, 2008      N/A           Yes              Open\n               on hard drive disposal for all\n               equipment. Specifically, DIT is\n               reviewing and updating procedures to\n               state that all hard drives must be\n               rendered inoperable prior to storage\n               for disposal.\n\n       3       DIT will develop procedures for           August 31, 2008     N/A           Yes              Open\n               tracking assets returned to the vendor\n               and replacement assets sent to the\n               FDIC.\n\na\n    Resolved - (1) Management concurs with the recommendation, and the planned corrective action is consistent\n                   with the recommendation.\n               (2) Management does not concur with the recommendation, but planned alternative action is acceptable\n                   to the OIG.\n               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.\n                   Monetary benefits are considered resolved as long as management provides an amount.\nb\n    Once the OIG determines that the agreed-upon corrective actions have been completed and are responsive, the\n    recommendation can be closed.\n\n\n\n\n                                                           16\n\x0c'
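The two Remedy® findings in this report (asset records editable without supervisory review, and no crosswalk from a laptop coded “returned to vendor” to the replacement the vendor supplied) can both be expressed as checks over a small asset register. The following Python is example code added for this page; it is not the OIG’s, the FDIC’s, or the Remedy® product’s code. The register class, the `replaced_by` crosswalk field, the asset tags, and the user names are all invented for the illustration; the three status codes are the ones quoted in the report.

```python
"""Two inventory-integrity controls, modelled on a toy asset register.

1. Record edits are queued and take effect only after a different person
   approves them (the compensating control the independent firm recommended).
2. A reconciliation check finds "returned to vendor" records that lack a
   usable crosswalk to the replacement laptop's record.
Hypothetical model; not Remedy(R) and not FDIC code.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Optional, Tuple

# Status codes quoted in the report.
DEPLOYED = "deployed"
IN_INVENTORY = "in inventory"
RETURNED_TO_VENDOR = "returned to vendor"


@dataclass
class Asset:
    tag: str                          # asset tag (constructed sample values below)
    status: str
    assigned_to: Optional[str] = None
    # Hypothetical crosswalk field: tag of the laptop the vendor supplied in
    # exchange for this one. The report notes Remedy(R) had no such link.
    replaced_by: Optional[str] = None


@dataclass
class PendingChange:
    tag: str
    field_name: str
    old: object
    new: object
    requested_by: str
    approved_by: Optional[str] = None


class AssetRegister:
    def __init__(self, assets: List[Asset], editors, approvers):
        self.assets: Dict[str, Asset] = {a.tag: a for a in assets}
        self.editors = set(editors)      # may propose edits (least privilege)
        self.approvers = set(approvers)  # may approve edits proposed by others
        self.pending: List[PendingChange] = []
        self.audit_log: List[str] = []

    def propose_change(self, user: str, tag: str, field_name: str, new) -> PendingChange:
        """Queue an edit; the record itself is untouched until approval."""
        if user not in self.editors:
            raise PermissionError(f"{user} may not edit asset records")
        if field_name not in {f.name for f in fields(Asset)}:
            raise ValueError(f"unknown field {field_name}")
        asset = self.assets[tag]
        change = PendingChange(tag, field_name, getattr(asset, field_name), new, user)
        self.pending.append(change)
        return change

    def approve(self, supervisor: str, change: PendingChange) -> None:
        """Apply a queued edit; requester and approver must be different people."""
        if supervisor not in self.approvers:
            raise PermissionError(f"{supervisor} may not approve asset changes")
        if supervisor == change.requested_by:
            raise PermissionError("separation of duties: cannot approve own change")
        setattr(self.assets[change.tag], change.field_name, change.new)
        change.approved_by = supervisor
        self.pending.remove(change)
        self.audit_log.append(
            f"{change.tag}.{change.field_name}: {change.old!r} -> {change.new!r} "
            f"(requested by {change.requested_by}, approved by {supervisor})")

    def unmatched_vendor_returns(self) -> List[Tuple[str, str]]:
        """Reconcile every 'returned to vendor' record against its replacement."""
        problems: List[Tuple[str, str]] = []
        credited: Dict[str, str] = {}    # replacement tag -> returned tag claiming it
        for a in self.assets.values():
            if a.status != RETURNED_TO_VENDOR:
                continue
            if a.replaced_by is None:
                problems.append((a.tag, "no replacement recorded"))
            elif a.replaced_by not in self.assets:
                problems.append((a.tag, f"replacement {a.replaced_by} not in register"))
            elif a.replaced_by in credited:
                problems.append((a.tag, f"replacement {a.replaced_by} already "
                                        f"credited to {credited[a.replaced_by]}"))
            else:
                credited[a.replaced_by] = a.tag
        return problems


def build_sample_register() -> AssetRegister:
    """Constructed sample records; tags and names are invented."""
    assets = [
        Asset("L-0001", DEPLOYED, assigned_to="examiner.a"),
        Asset("L-0002", RETURNED_TO_VENDOR, replaced_by="L-0005"),  # properly linked
        Asset("L-0003", RETURNED_TO_VENDOR),                        # no crosswalk
        Asset("L-0004", RETURNED_TO_VENDOR, replaced_by="L-9999"),  # dangling link
        Asset("L-0005", DEPLOYED, assigned_to="examiner.b"),
        Asset("L-0006", RETURNED_TO_VENDOR, replaced_by="L-0005"),  # claimed twice
        Asset("L-0007", IN_INVENTORY),
    ]
    return AssetRegister(assets, editors={"tech.1"}, approvers={"supervisor.1"})


if __name__ == "__main__":
    reg = build_sample_register()
    for tag, why in reg.unmatched_vendor_returns():
        print(f"{tag}: {why}")
    chg = reg.propose_change("tech.1", "L-0007", "status", DEPLOYED)
    reg.approve("supervisor.1", chg)
    print(reg.audit_log[-1])
```

Run stand-alone, the reconciliation flags L-0003, L-0004 and L-0006: each is a “returned to vendor” record for which the register cannot show a distinct replacement, which is exactly the assurance gap behind recommendation 3. The change queue shows the compensating control for the access-control finding: an editor’s update to L-0007 has no effect on the record until someone other than the requester approves it, and every applied change leaves an audit entry naming both people.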